Insufficient Token Length

PY028

insufficient_token_length

CWE-326

⚠️ Warning

---

Tokens are often used as security-critical elements, such as for authentication, session management, or as part of cryptographic operations. The strength of a token is significantly influenced by its length and the randomness of its generation. Tokens with insufficient byte lengths lack the necessary entropy to withstand brute-force attacks, leading to a potential compromise of the system's security integrity.

All calls to secrets.token_bytes(), secrets.token_hex(), and secrets.token_urlsafe() MUST specify a byte size of at least 32. This requirement ensures that the generated tokens have a strong level of cryptographic security, reducing the risk of unauthorized access through token prediction or brute-force attacks.

Example

---

warning

import secrets


token = secrets.token_bytes(16)

Remediation

---

fix

Its recommended to increase the token size to at least 32 bytes or leave the nbytes parameter unset or set to None to use a default entropy.

import secrets


token = secrets.token_bytes()

False Positives

---

In the case of a false positive the rule can be suppressed. Simply add a trailing or preceding comment line with either the rule ID (PY028) or rule category name (insufficient_token_length).

Using rule ID

fix

import secrets


# suppress: PY028
token = secrets.token_bytes(16)

Using category name

fix

import secrets


# suppress: insufficient_token_length
token = secrets.token_bytes(16)

See also

---

info

• secrets — Generate secure random numbers for managing secrets
• CWE-326: Inadequate Encryption Strength